Fortinet releases 40 security patches for security vulnerabilities
Updated 21st February 2023 – 13:21 UTC
Overview
Horizon3 has released proof-of-concept (PoC) exploit code for the recently disclosed FortiNAC vulnerability, CVE-2022-39952. The PoC works by writing a cron job (scheduled task) to the /etc/cron.d/ directory that triggers every 60 seconds. This, in turn, initiates a reverse shell to the threat actor, granting them the ability to perform remote code execution.
The researchers discovered that the remediation for the vulnerability removed ‘keyUpload.jsp’, which accepts the key parameter. The value of this parameter is written to a configuration file, after which the ‘configApplianceXml’ bash script is executed. That script runs the ‘unzip’ command, allowing files to be placed within any file path, so a threat actor can create a ZIP archive containing the associated payload and send it to the vulnerable endpoint using the key parameter; on extraction of the archive, the payload is written to the chosen location. The PoC code created by the Horizon researchers automates this process.
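The extraction behaviour described above is the part a defender can check for directly: an archive whose entry names resolve outside the intended extraction directory. The following is an added example, not code from the advisory, Fortinet or Horizon3; the destination path and the sample archive (with an inert placeholder entry pointing at /etc/cron.d/) are constructed for illustration.

```python
# Added example, not code from the advisory, Fortinet or Horizon3: an
# archive-side check for the CVE-2022-39952 mechanism, where an unzip of
# attacker-supplied ZIP content lets entries land in arbitrary paths such
# as /etc/cron.d/. The destination and sample archive are constructed.
import io
import posixpath
import zipfile


def unsafe_entries(zip_bytes: bytes, dest: str = "/opt/extract") -> list:
    """Return entry names that would resolve outside `dest` when extracted.

    Pure POSIX path arithmetic (no filesystem access), so it flags absolute
    names and '..' traversal regardless of the host. Symlinks inside the
    archive or on disk are a separate concern not covered here.
    """
    dest = posixpath.normpath(dest)
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename.replace("\\", "/")
            target = posixpath.normpath(posixpath.join(dest, name))
            inside = target == dest or target.startswith(dest + "/")
            if not inside:
                flagged.append(info.filename)
    return flagged


def safe_extract(zip_bytes: bytes, dest: str) -> list:
    """Extract only if every entry stays under `dest`; otherwise raise.

    The check runs before any file is written, so one bad entry aborts the
    whole extraction instead of leaving partially written state behind.
    """
    bad = unsafe_entries(zip_bytes, dest)
    if bad:
        raise ValueError(f"archive escapes {dest}: {bad}")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest)
        return zf.namelist()


def build_sample_archive(include_escape: bool = True) -> bytes:
    """Constructed sample: one benign config entry and, optionally, one entry
    whose name climbs out of the extraction directory into /etc/cron.d/.
    The escaping entry's content is an inert placeholder comment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("config/appliance.xml", "<appliance/>\n")
        if include_escape:
            zf.writestr("../../etc/cron.d/constructed-example",
                        "# placeholder: constructed for this example\n")
    return buf.getvalue()
```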
Updated Affected Products
Products affected by CVE-2022-39952:
– FortiNAC version 9.4.0
– FortiNAC versions 9.2.0 – 9.2.5
– FortiNAC versions 9.1.0 – 9.1.7
– FortiNAC 8.8 all versions
– FortiNAC 8.7 all versions
– FortiNAC 8.6 all versions
– FortiNAC 8.5 all versions
– FortiNAC 8.3 all versions
Updated Containment, Mitigations & Remediations
FortiNAC administrators are strongly advised to upgrade to one of the following FortiNAC versions, which are not affected by CVE-2022-39952:
– FortiNAC version 9.4.1 or above
– FortiNAC version 9.2.6 or above
– FortiNAC version 9.1.8 or above
– FortiNAC version 7.2.0 or above
Further details can be found on the Fortinet Library Webpage.
Updated Further Information
Horizon3.ai Analysis
Bleeping Computer Article
20th February 2023
Target Industry
Indiscriminate, opportunistic targeting.
Overview
Fortinet has released security patches for 40 individual vulnerabilities across its software suite. Two of the vulnerabilities are classified as critical according to CVSS scoring: an arbitrary code execution vulnerability and a stack-based buffer overflow vulnerability, tracked as CVE-2022-39952 (CVSS score: 9.8) and CVE-2021-42756 (CVSS score: 9.3) respectively. The remaining vulnerabilities consist of 15 High, 22 Medium and one Low rated security flaws.
The penetration testing organisation, Horizon3.ai, has stated that they plan to release a proof-of-concept (PoC) code for CVE-2022-39952.
Impact
CVE-2022-39952: An external control of file name or path vulnerability in the FortiNAC web server may allow an unauthenticated threat actor to perform an arbitrary file write on the system.
CVE-2021-42756: Successful exploitation of this vulnerability could enable an unauthenticated remote threat actor to achieve arbitrary code execution via specially crafted HTTP requests.
Vulnerability Detection
Fortinet has released patches for the vulnerabilities in the respective product versions. As such, earlier versions remain vulnerable to potential exploits.
Affected Products
Products affected by CVE-2022-39952:
– FortiNAC version 9.4.0
– FortiNAC versions 9.2.0 – 9.2.5
– FortiNAC versions 9.1.0 – 9.1.7
– FortiNAC 8.8 all versions
– FortiNAC 8.7 all versions
– FortiNAC 8.6 all versions
– FortiNAC 8.5 all versions
– FortiNAC 8.3 all versions
Products affected by CVE-2021-42756:
– FortiWeb 6.4 all versions
– FortiWeb 6.3.16 and below
– FortiWeb 6.2.6 and below
– FortiWeb 6.1.2 and below
– FortiWeb 6.0.7 and below
– FortiWeb 5.x all versions
Containment, Mitigations & Remediations
It is strongly recommended that the relevant Fortinet patches are applied as soon as possible.
CVE-2022-39952 – Patches have been released for the following FortiNAC versions: 7.2.0, 9.1.8, 9.2.6, and 9.4.1.
CVE-2021-42756 – Patches have been released for the following versions of FortiWeb: 6.0.8, 6.1.3, 6.2.7, 6.3.17, and 7.0.0.
Administrators should also apply updates for the following Fortinet product ranges:
– FortiADC (advanced application delivery controller)
– FortiAnalyzer (log management, analytics, and reporting platform)
– FortiExtender (WAN connections extender)
– FortiOS (operating system used in Fortinet hardware, including FortiGate firewalls)
– FortiProxy (secure web proxy/gateway)
– FortiAuthenticator (user identity management)
– The FortiSwitchManager module
– FortiPortal (portal for service providers)
– FortiSandbox (malware sandbox)
– FortiWAN (multi-WAN management).
Further details regarding each of the 40 vulnerabilities can be found on the Fortiguard Advisory Page.
Indicators of Compromise
No specific Indicators of Compromise (IoCs) are available at this time.
Threat Landscape
Fortinet holds a significant share of the networking-hardware market. Threat actors generally weigh the likelihood of success against the value of the asset when deciding which attack surfaces to develop exploits for, and as a result networking hardware products are a prime target. Because Fortinet products have become an integral part of personal and business operations, threat actors will continue to exploit vulnerabilities in them in an attempt to exfiltrate sensitive data or disrupt the business operations that depend on them.
Threat Group
No attribution to specific threat actors or groups has been identified at the time of writing.
Mitre Methodologies
Tactics:
TA0002 – Execution
Techniques – Lateral Movement:
T1210 – Exploitation of Remote Services